Re: Ecryption?

I would suggest using cookies. It would be easy to change the existing scripts to do this. The level of security would then depend on what is stored in the cookie. Typically, when I do this, I authenticate the user, and then create a random session variable in a database. The cookie will then only have the username and session variable - no password. Then on each call, I check that the session variable passed by the cookie is valid and that it is for the correct user.

See merlyn's node: Adding "state" to HTTP for other methods, then if you're still interested see the Web Techniques columns...

Afterthought: The other responses to this question deal more with encrypting the data. My method (I believe) is secure so long as you use SSL for the original authentication. It seems to me that your problem is not so much about "sniffing" but more that if someone leaves their pc while logged in, someone could come along, "view source" and see the password. Even if you encrypt the password using client-side script or MD5, then people can still impersonate other users because your script relies on the encrypted data being posted which doesn't change between logins. If you have a database of valid session IDs, then they are no longer valid once someone has logged off - i.e. next time they log in, they will have a different session ID.

$code or die
Using perl at
The Spiders Web

Comment on Re: Ecryption?

Replies are listed 'Best First'.
Re: Re: Ecryption? by Punto (Scribe) on Feb 18, 2001 at 04:37 UTC
So, for the encryption I could use 'MD5' (what is md5?), and a session ID system.. The session ID would be like the 'key', and I need it to decrypt the password on the server side, right? I know there is an apache module that takes care of the session ID thing. (thanks)	[reply]
Re: Re: Re: Ecryption? by Punto (Scribe) on Feb 18, 2001 at 05:19 UTC
actually (replying to myself) I'd make a 'digest' with the password and the session id, and post that on the forms, and authenticate against that. The problem is that the script is not saving the password as plaintext on the database (crypt()). I but I could still use it. Thanks! UPDATE: this is the solution I used after all. I get the session number from mod_session (apache module), and I create an 'md5_base64' string with that and the crypt()ed password (that's how the passwords are stored on the base), that's what I put on the forms. Thanks everyone for your help!	[reply]